Merge pull request #12 from Badger-Finance/update-image #41
name: Pull Request - Build and Deploy to Development Environment | |
on: | |
push: | |
branches: | |
- main | |
env: | |
TARGET_ENVIRONMENT: 'dev' | |
MANIFEST_RESPOSITORY: 'badger-finance/badger-kube-manifests' | |
IMAGE_NAME: '/badger/${{ github.event.repository.name }}:${{ github.event.after }}' | |
jobs: | |
build: | |
name: Build Container Image | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout Service | |
uses: actions/checkout@main | |
- name: Configure AWS credentials | |
uses: aws-actions/configure-aws-credentials@v1 | |
with: | |
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
aws-region: us-west-1 | |
- name: Login to Amazon ECR | |
id: login-ecr | |
uses: aws-actions/amazon-ecr-login@v1 | |
- name: Build, tag, and push image to Amazon ECR | |
run: | | |
docker build --build-arg BOT_TOKEN=${{ secrets.BOT_TOKEN }} -t ${{ steps.login-ecr.outputs.registry }}${{ env.IMAGE_NAME }} . | |
docker push ${{ steps.login-ecr.outputs.registry }}${{ env.IMAGE_NAME }} | |
- name: Run Trivy vulnerability scanner | |
uses: aquasecurity/trivy-action@master | |
with: | |
image-ref: '${{ steps.login-ecr.outputs.registry }}${{ env.IMAGE_NAME }}' | |
format: 'table' | |
exit-code: '1' | |
ignore-unfixed: true | |
vuln-type: 'os,library' | |
severity: 'CRITICAL,HIGH' | |
validate_manifest: | |
name: Run Manifest Validation | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout Service | |
uses: actions/checkout@main | |
- name: Run Manifest Validation | |
run: | | |
make install_validate_manifest | |
make validate_manifest TARGET_ENVIRONMENT=${{ env.TARGET_ENVIRONMENT }} | |
deploy-dev: | |
name: Release to Development Environemnt | |
runs-on: ubuntu-latest | |
needs: [build, validate_manifest] | |
steps: | |
- name: Configure AWS credentials | |
uses: aws-actions/configure-aws-credentials@v1 | |
with: | |
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
aws-region: us-west-1 | |
- name: Login to Amazon ECR | |
id: login-ecr | |
uses: aws-actions/amazon-ecr-login@v1 | |
- name: Checkout Service | |
uses: actions/checkout@main | |
with: | |
ref: ${{ github.head_ref }} | |
- name: Checkout Manifest Repository | |
shell: bash | |
run: | | |
set -Eeuxo pipefail | |
WORKDIR="$(pwd)/manifests" | |
echo "Getting Git version info" | |
echo "Working directory is $WORKDIR" | |
/usr/bin/git version | |
echo "Initializing the repository" | |
/usr/bin/git init $WORKDIR | |
cd $WORKDIR | |
/usr/bin/git remote add origin https://github.com/${{ env.MANIFEST_RESPOSITORY }} | |
echo "Disabling automatic garbage collection" | |
/usr/bin/git config --local gc.auto 0 | |
echo "Setting up auth" | |
git config --local user.email "[email protected]" | |
git config --local user.name "${{ github.actor }}" | |
/usr/bin/git config --local http.https://github.com/.extraheader "AUTHORIZATION: basic $(echo -n x-access-token:${{ secrets.GH_TOKEN }} | base64 )" | |
echo "Fetching the repository" | |
/usr/bin/git -c protocol.version=2 fetch --no-tags --prune --progress --no-recurse-submodules --depth=1 origin +refs/heads/${{ env.TARGET_ENVIRONMENT }}*:refs/remotes/origin/${{ env.TARGET_ENVIRONMENT }}* +refs/tags/${{ env.TARGET_ENVIRONMENT }}*:refs/tags/${{ env.TARGET_ENVIRONMENT }}* | |
echo "Determining the checkout info" | |
/usr/bin/git branch --list --remote origin/${{ env.TARGET_ENVIRONMENT }} | |
echo "Checking out the ref" | |
/usr/bin/git checkout --progress --force -B ${{ env.TARGET_ENVIRONMENT }} refs/remotes/origin/${{ env.TARGET_ENVIRONMENT }} | |
/usr/bin/git log -1 --format='%H' | |
- name: Create Application Definition | |
shell: bash | |
run: | | |
set -Eeuxo pipefail | |
echo "Creating Application Definition" | |
echo "sed \"s/TARGET_ENVIRONMENT/${{ env.TARGET_ENVIRONMENT }}/g\"" | |
mkdir -p manifests/applications/ | |
cat ./.deploy/.app.yaml | sed "s/TARGET_ENVIRONMENT/${{ env.TARGET_ENVIRONMENT }}/g" \ | |
> manifests/applications/${{ github.event.repository.name }}.yaml | |
- name: Kustomize Manifest | |
shell: bash | |
run: | | |
echo "Install Kustomize" | |
curl -o kustomize.tar.gz --location https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize/v3.8.1/kustomize_v3.8.1_linux_amd64.tar.gz | |
tar -xzvf kustomize.tar.gz | |
echo "Maybe Create Manifest Directory" | |
mkdir -p manifests/${{ github.event.repository.name }}/ | |
echo "Kustomize Manifest and Replace with SHA" | |
./kustomize build ./.deploy/ | | |
sed --expression "s@IMAGE_NAME@${{ steps.login-ecr.outputs.registry }}${{ env.IMAGE_NAME }}@g" \ | |
> manifests/${{ github.event.repository.name }}/manifest.yaml | |
- name: Commit and Push New Manifest | |
shell: bash | |
run: | | |
echo "Commit New Manifest" | |
cd manifests | |
git config --local user.email "[email protected]" | |
git config --local user.name "${{ github.actor }}" | |
git add ${{ github.event.repository.name }} applications/ | |
git commit -m "Deploying ${{ github.event.repository.name }}:${{ github.event.pull_request.head.sha }}" || echo "¯\_(ツ)_/¯ Nothing changed, so nothing committed, and nothing new will be pushed to manifests." | |
echo "Push New Manifest" | |
git push https://${{ github.actor }}:${{ secrets.GH_TOKEN }}@github.com/${{ env.MANIFEST_RESPOSITORY }}.git HEAD:${{ env.TARGET_ENVIRONMENT }} | |
notify: | |
name: Notify Chat | |
if: always() | |
runs-on: ubuntu-latest | |
needs: [deploy-dev] | |
steps: | |
- name: Send status to Discord | |
uses: nebularg/actions-discord-webhook@v1 | |
with: | |
webhook_url: ${{ secrets.CICD_DISCORD_WEBHOOK }} | |
status: ${{ job.status }} |
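Review bot: The `set -Eeuxo pipefail` at the top of the "Checkout Manifest Repository" step traces every command, so the `git config --local http.https://github.com/.extraheader ...` line prints the base64 of `x-access-token:<GH_TOKEN>` into the job log; GitHub masks the registered secret value but not its base64 encoding, so the token is readable by anyone with access to the run, and the same header is left behind in `.git/config` of the manifests checkout. The hand-rolled init/fetch/checkout can be replaced by `actions/checkout` with its `repository`, `ref`, `token` and `path` inputs (below), which sets the auth header without tracing it and persists credentials so the "Commit and Push New Manifest" step can run `git push origin HEAD:${{ env.TARGET_ENVIRONMENT }}` instead of embedding `${{ secrets.GH_TOKEN }}` in the push URL. In the build job, `--build-arg BOT_TOKEN=${{ secrets.BOT_TOKEN }}` records the token in the image's layer metadata (visible via `docker history`) of an image that is then pushed to ECR, and the Trivy scan runs only after `docker push`, so a failing scan still leaves the image in the registry; a BuildKit `--secret` mount and scanning before the push address both. Every action is referenced by a mutable branch (`actions/checkout@main`, `aquasecurity/trivy-action@master`), which should be pinned to a release tag or commit SHA, and the workflow declares no `permissions:` block, so the job token keeps the repository default rather than least privilege.
```yaml
      - name: Checkout Manifest Repository
        uses: actions/checkout@main  # pin to a tag or commit SHA
        with:
          repository: ${{ env.MANIFEST_RESPOSITORY }}
          ref: ${{ env.TARGET_ENVIRONMENT }}
          token: ${{ secrets.GH_TOKEN }}
          path: manifests
      # … unchanged: Create Application Definition, Kustomize Manifest …
      - name: Commit and Push New Manifest
        shell: bash
        run: |
          set -Eeuo pipefail
          cd manifests
          # … unchanged: git config, git add, git commit …
          git push origin HEAD:${{ env.TARGET_ENVIRONMENT }}
```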